Darktrace Model Breach
| Id | a3c7b8ed-56a9-47b7-98e5-2555c16e17c9 |
| Rulename | Darktrace Model Breach |
| Description | This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes. |
| Severity | Medium |
| Required data connectors | DarktraceRESTConnector |
| Kind | NRT |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml |
| Version | 1.1.0 |
| Arm template | a3c7b8ed-56a9-47b7-98e5-2555c16e17c9.json |
darktrace_model_alerts_CL
| where dtProduct_s =="Policy Breach"
| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
| extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
| extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium",
DtCategory == "Critical", "High",
"Informational")
triggerOperator: gt
version: 1.1.0
query: |
darktrace_model_alerts_CL
| where dtProduct_s =="Policy Breach"
| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
| extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
| extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium",
DtCategory == "Critical", "High",
"Informational")
entityMappings:
- entityType: Host
fieldMappings:
- columnName: SrcHostname
identifier: HostName
- entityType: Host
fieldMappings:
- columnName: DstHostname
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
- entityType: IP
fieldMappings:
- columnName: DstIpAddr
identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
queryFrequency: 5m
requiredDataConnectors:
- connectorId: DarktraceRESTConnector
dataTypes:
- darktrace_model_alerts_CL
eventGroupingSettings:
aggregationKind: AlertPerResult
name: Darktrace Model Breach
queryPeriod: 5m
severity: Medium
kind: NRT
tactics:
id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
description: |
'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'
relevantTechniques:
customDetails:
NetworkRuleName: NetworkRuleName
SrcMacAddr: SrcMacAddr
DtCompliance: DtCompliance
ThreatId: ThreatId
DstPortNumber: DstPortNumber
DtDeviceID: DtDeviceID
EventSeverity: EventSeverity
EventStartTime: EventStartTime
DtSentinelCategory: DtSentinelCategory
NetworkRuleNumber: NetworkRuleNumber
DstMacAddr: DstMacAddr
DtCategory: DtCategory
SrcPortNumber: SrcPortNumber
DtDescription: DtDescription
triggerThreshold: 0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: AlertLink
value: DtBreachURL
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
- alertProperty: ProductComponentName
value: ThreatCategory
- alertProperty: Severity
value: DtSentinelCategory
alertTacticsColumnName:
alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
alertSeverityColumnName:
alertDescriptionFormat: '{{DtMessage}}'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "NRT",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Darktrace Model Breach",
"description": "'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'\n",
"severity": "Medium",
"enabled": true,
"query": "darktrace_model_alerts_CL \n| where dtProduct_s ==\"Policy Breach\"\n| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category\n| extend EventCount=1, EventType=\"NetworkSession\", EventSchema=\"NetworkSession\", EventSchemaVersion=\"0.2.2\", EventResult=\"Success\", DvcAction = \"Allow\", EventVendor = \"Darktrace\", EventProduct = \"Darktrace DETECT\", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity\n| extend DtSentinelCategory = case(DtCategory == \"Suspicious\", \"Medium\", \n DtCategory == \"Critical\", \"High\",\n \"Informational\") \n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"alertRuleTemplateName": "a3c7b8ed-56a9-47b7-98e5-2555c16e17c9",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}",
"alertDescriptionFormat": "{{DtMessage}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "DtBreachURL"
},
{
"alertProperty": "ProviderName",
"value": "EventVendor"
},
{
"alertProperty": "ProductName",
"value": "EventProduct"
},
{
"alertProperty": "ProductComponentName",
"value": "ThreatCategory"
},
{
"alertProperty": "Severity",
"value": "DtSentinelCategory"
}
],
"alertSeverityColumnName": null,
"alertTacticsColumnName": null
},
"customDetails": {
"NetworkRuleName": "NetworkRuleName",
"SrcMacAddr": "SrcMacAddr",
"ThreatId": "ThreatId",
"DtSentinelCategory": "DtSentinelCategory",
"DstPortNumber": "DstPortNumber",
"DtDeviceID": "DtDeviceID",
"EventSeverity": "EventSeverity",
"EventStartTime": "EventStartTime",
"DtCompliance": "DtCompliance",
"NetworkRuleNumber": "NetworkRuleNumber",
"DstMacAddr": "DstMacAddr",
"DtCategory": "DtCategory",
"SrcPortNumber": "SrcPortNumber",
"DtDescription": "DtDescription"
},
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "SrcHostname",
"identifier": "HostName"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"columnName": "DstHostname",
"identifier": "HostName"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"columnName": "DstIpAddr",
"identifier": "Address"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml",
"templateVersion": "1.1.0"
}
}
]
}